IT security managers should enable cloud computing by learning how to manage risk, Coviello says

Web 2.0 technologies and cloud computing are extending traditional enterprise network perimeters to the point that they are practically vanishing, says a report released this week by RSA, the security division of EMC Corp. The report further states that information security managers who understand the associated risks and learn how to manage them can help their companies adopt such technologies on their own terms.

The report also includes recommendations from 10 members of RSA's Security for Business Innovation Council, including chief information security officers from J.P. Morgan Chase, Motorola, eBay, Time Warner and RSA.

In this interview, RSA president Art Coviello talked about some of the report's key recommendations as well as other topics.

Why did RSA do this report? This report is about what we call the hyperextended enterprise, which is exactly what you think it would be. We are using the Internet as never before. There are more devices, there are far more Web applications and now with Web 2.0 and social networking, communication is instant and pretty constant.

Our dealings as businesspeople with customers, suppliers, partners, and even our own employees, have changed dramatically in just the last seven or eight years. The opportunity being created with technologies like virtualization and cloud computing is extending the perimeter out even more. It literally puts your IT infrastructure out of the company in many instances. So our research is on whether people have learned the lessons of the past, and if they are building security into the cloud computing environment. Unfortunately, we found out that they are not doing this as they should.

What are some of the recommendations from the Security for Business Innovation Council in terms of what companies should be doing to enable cloud computing? The first recommendation is that if you are thinking of outsourcing applications and information and infrastructure then you ought to rein in the protection environment. See if there is a way to lessen the cost of security. Look at the kind of security measures you have, check them for cost effectiveness and see if there are redundancies.

[Another] recommendation is to proactively embrace new technologies on your own. The job of the security guy is not to be "Doctor No." It's not to say "you can't do stuff," but rather how you can embrace these technologies and how you can do it securely. You can never do security perfectly, but if you do it in the context of risk, you can minimize your exposure.

It also makes sense, if you no longer have control of the physical infrastructure, to shift from protecting the container to protecting the data. One would assume that the cloud provider is protecting the container and the physical infrastructure. Your job then is to shift from protecting the container to protecting the data and information itself. Once you go to a cloud environment, it really is about how you maximize the use of your applications and your information and how you ensure that the people who need it get access to it.

[Another recommendation] is really about protecting data with security techniques that allow you to monitor the flow of data in real time. Things like data-leak prevention technologies that are far more dynamic and are based more on content and behavior and looking for anomalies based on who is getting access, or who is using the data and how it is being used.

What impact has the recession had on information security budgets? Have they been as immune from cuts as some had expected them to be? Every budget has been impacted. There's no question about that. Relative to others though, security budgets have been impacted less. In our case we are gaining market share.

This year we had 10 percent year-over-year growth in Q1 and actually almost 11 percent from an order standpoint. Now that is down from last year, but it is still positive growth. I think a lot of high-technology companies would have been thrilled to report growth in Q1. If you were to look at our product lines, SecurID, which is still a very significant portion of our business, is only flat to maybe slightly up, and that would be expected because it is so employment dependent. We are not getting expansion inside existing accounts because people aren't adding lots of employees. Our security incident management business is growing at well over 30 percent, while our ID protection and verification suite is growing at about 40 percent, and our data leak prevention is growing at 80 or 90 percent.

Two years ago you had said that stand-alone security vendors are headed for extinction because vendors such as Microsoft, EMC and Cisco Systems were integrating security functions into their own products. Do you still believe that will happen? I was wrong on time but not on direction. There really are only two significantly large independent companies that are totally security focused today, and that's McAfee and CheckPoint, and they are anomalies.

Symantec now owns Veritas so they are as much an infrastructure company as they are a security company. And let's pick a category like data leak prevention. The three big players in that space -- IronPort, Tablus and Vontu -- were all snapped up.

There continue to be innovative startups and lots of point products, but increasingly, especially in cloud environments, the ability [of customers] to absorb countless numbers of independent point products tends to be less and less. We see customers wanting to minimize the number of vendors they have because the technology really needs to be baked in. It needs to be transparent and seamless in the environment. I'm not saying there won't be security products. But I am saying the infrastructure companies are going to need their own security products and technologies and will form partnerships as we are doing with the likes of Microsoft and Cisco.

What do you think about President Obama's plans to appoint a White House cybersecurity coordinator? I think it makes tremendous sense. I think the idea of having somebody coordinate policy and to lobby strongly on Capitol Hill for the requisite funding and changes to law is a good one and I think it is very necessary.

The [National Security Agency] has a lot to offer, but people are suspicious of them because they don't have a domestic charter. Homeland Security needs to play a very heavy role and I'm sure they will. But somebody in the White House coordinating the effort and also working with civilian agencies that have a lot of personally identifiable information like the IRS and the Social Security Administration just makes tremendous sense.

This story, "RSA chief: The job of security guy is not to be 'Doctor No'" was originally published by Computerworld.